False Positives: The Best Way to Kill a Good Initiative
Or: When Security Departments Cry Wolf
Remember Aesop's fable "The Boy Who Cried Wolf"? Not only is it a pretty good story, filled with conflict, danger, lying and comeuppance, it has served as a cautionary tale to several generations. Little kids around the world have learned that if you lie, people are going to stop believing you.
This fable speaks directly to our jobs as security practitioners. The more we raise alerts about issues that either don't exist, or aren't worth the attention we give them, the less interested people are in hearing what we have to say. If we do it too much, eventually when we scream that the wolf is at the door, we will be ignored, and see our data get eaten up.
This reality can be experienced in a number of ways.
1. The way we present security assessment findings. The most important thing we can do to ensure our words are taken seriously is to be realistic about the threats we report. Not every threat is a severity 1, and they don't all need to be remediated immediately. Consider the likelihood and impact of a threat in your environment, and suggest remediation accordingly. When you do find that big bad issue, your warning will be taken much more seriously if your audience has seen you downplay the significance of other vulnerabilities in the past.
2. How we react to the news of new zero-day attacks we learn about from the media. Reports of breaches, zero-day viruses and cyber war make for compelling news. And your CEO may see one of these stories and start thinking about information security for the first time in months. This can lead to urgent conversations and directives to immediately make sure that "we are safe from this kind of thing." In effect, the news media is doing the "crying wolf," but InfoSec professionals are the ones who deal with the fallout.
In these cases, we must make a careful, measured response to these questions. We cannot let the current paranoia around Wikileaks and Stuxnet force our hand into making security decisions that don't make sense for our organization. Use these opportunities as a chance to explain how we determined what defenses we would put in place, and how these newsworthy events tie into our security strategies. If we handle these situations wisely, these sensational security events can be good advertising for us, a chance to showcase our methodologies and systems.
3. The noise coming from our security systems. IDS/IPS, DLP and SIEM systems are all known for their high rates of false positives if they are not properly tuned for the environment. Those false positives can sap away the power those systems have. If our technical staff continuously receive email alerts from the IPS, and upon researching them find that they are everyday traffic requiring no action, those emails are going to start being ignored. So when the hacker really is attempting to infiltrate the network, their actions will be ignored too.
Every security system we implement should go through thorough false positive tuning before it's placed into a production environment. IDS/IPS, DLP and SIEM are all known for producing a lot of noise that is likely to turn off their users if the noise isn't turned off itself. By doing the tuning work on the front end, we ensure a smoother experience for the end users, and increase our odds of having a highly successful implementation.
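To make the tuning step concrete, here is an added example that is not part of the original post or of any particular IDS product. It models the two tuning controls most IDS engines expose, suppression (never raise signature X from source Y, because that source is a known, documented benign) and thresholding (raise signature X only once N hits arrive from one source inside a time window), runs them over a constructed batch of alert lines, and reports how much of the noise each control removed. The alert line format, the signature names, the addresses, the "authorised scanner" subnet and the thresholds are all assumptions made up for the example; the point is the shape of the work, not these particular values.

```python
"""
Added example (not from the original post): a minimal alert-tuning pass that
turns a raw stream of IDS alerts into the reduced set an analyst would see.
Every alert line, signature name, address and rule below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample alerts: "timestamp|signature|src_ip|dst_ip|dst_port".
RAW_ALERTS = """\
2011-01-10T09:00:01|ICMP PING NMAP|10.0.50.5|10.0.1.10|0
2011-01-10T09:00:02|ICMP PING NMAP|10.0.50.5|10.0.1.11|0
2011-01-10T09:00:03|ICMP PING NMAP|10.0.50.5|10.0.1.12|0
2011-01-10T09:00:10|SSH LOGIN FAILED|10.0.2.30|10.0.1.20|22
2011-01-10T09:05:00|SSH LOGIN FAILED|10.0.2.31|10.0.1.20|22
2011-01-10T09:05:01|SSH LOGIN FAILED|203.0.113.7|10.0.1.20|22
2011-01-10T09:05:02|SSH LOGIN FAILED|203.0.113.7|10.0.1.20|22
2011-01-10T09:05:03|SSH LOGIN FAILED|203.0.113.7|10.0.1.20|22
2011-01-10T09:05:04|SSH LOGIN FAILED|203.0.113.7|10.0.1.20|22
2011-01-10T09:05:05|SSH LOGIN FAILED|203.0.113.7|10.0.1.20|22
2011-01-10T09:07:00|WEB SQL INJECTION ATTEMPT|198.51.100.9|10.0.1.40|80
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    signature: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Suppression:
    """A documented 'we will never act on this' decision, with a review date."""
    signature: str
    src_net: str
    reason: str
    review_by: str


@dataclass(frozen=True)
class Threshold:
    """Deliver the signature only when `count` hits from one source fall inside `window`."""
    signature: str
    count: int
    window: timedelta


# Hypothetical tuning decisions for this environment.
SUPPRESSIONS = [
    Suppression("ICMP PING NMAP", "10.0.50.0/24",
                "authorised vulnerability scanner subnet (hypothetical)", "2011-04-01"),
]
THRESHOLDS = [Threshold("SSH LOGIN FAILED", 5, timedelta(seconds=60))]


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst, dport = line.split("|")
        alerts.append(Alert(datetime.fromisoformat(ts), sig, src, dst, int(dport)))
    return alerts


def is_suppressed(alert, suppressions):
    return any(alert.signature == s.signature
               and ip_address(alert.src) in ip_network(s.src_net)
               for s in suppressions)


def tune(alerts, suppressions, thresholds):
    """Apply suppressions, then thresholds. Returns (delivered alerts, counters)."""
    by_sig = {t.signature: t for t in thresholds}
    recent = defaultdict(list)  # (signature, src) -> timestamps still inside the window
    delivered = []
    stats = {"raw": 0, "suppressed": 0, "below_threshold": 0, "delivered": 0}
    for a in sorted(alerts, key=lambda x: x.ts):
        stats["raw"] += 1
        if is_suppressed(a, suppressions):
            stats["suppressed"] += 1
            continue
        t = by_sig.get(a.signature)
        if t is not None:
            key = (a.signature, a.src)
            hits = [h for h in recent[key] if a.ts - h < t.window] + [a.ts]
            recent[key] = hits
            if len(hits) < t.count:
                stats["below_threshold"] += 1
                continue
            recent[key] = []  # burst reported once; a later burst will alert again
        delivered.append(a)
        stats["delivered"] += 1
    return delivered, stats


def noise_reduction(stats):
    """Fraction of raw alerts the analyst never had to look at."""
    return 1 - stats["delivered"] / stats["raw"] if stats["raw"] else 0.0


if __name__ == "__main__":
    kept, counters = tune(parse_alerts(RAW_ALERTS), SUPPRESSIONS, THRESHOLDS)
    print(counters, f"noise removed: {noise_reduction(counters):.0%}")
    for a in kept:
        print(a.ts.isoformat(), a.signature, a.src, "->", a.dst)
```

Two things in this layout are worth carrying into a real deployment. Each suppression records why it exists and when it must be re-justified, so the "things we will never deal with" list is an auditable decision rather than a forgotten config line. And the counters are kept alongside the delivered alerts, so you can show before and after numbers when you argue that the system is now worth the analysts' attention.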
While these situations are distinct and disparate, they can be addressed by the same solution. Figure out what matters to you, AND what does not matter to you. Successful information security programs don't try to mitigate every risk; they investigate their risks and then sort them into groups based on which they will deal with now, later or never. It's just as important to know which items we will never deal with as to know which we are dealing with. That way, when those unimportant issues pop up, we can quickly squelch them and reduce unnecessary noise, whether that is an audit finding, an IDS alert, or a virus scare reported by the media. By keeping quiet about the things that are not an issue, we can expect that when we do need to scream wolf, our voice will be fresh and loud, and the business will come running to help.
Cross-posted from Enterprise InfoSec Blog from Robb Reck.